src/dns/desec.js

'use strict';

const assert = require('node:assert'),
    constants = require('../constants.js'),
    BoxError = require('../boxerror.js'),
    debug = require('debug')('box:dns/vultr'),
    dig = require('../dig.js'),
    dns = require('../dns.js'),
    safe = require('safetydance'),
    timers = require('timers/promises'),
    superagent = require('@cloudron/superagent'),
    waitForDns = require('./waitfordns.js');

const DESEC_ENDPOINT = 'https://desec.io/api/v1';

function formatError(response) {
    return `deSEC DNS error [${response.status}] ${response.text}`;
}

function removePrivateFields(domainObject) {
    delete domainObject.config.token;
    return domainObject;
}

function injectPrivateFields(newConfig, currentConfig) {
    if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;
}

async function get(domainObject, location, type) {
    assert.strictEqual(typeof domainObject, 'object');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof type, 'string');

    const domainConfig = domainObject.config,
        zoneName = domainObject.zoneName,
        name = dns.getName(domainObject, location, type) || '@';

    await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html

    const [error, response] = await safe(superagent.get(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}`)
        .set('Authorization', `Token ${domainConfig.token}`)
        .timeout(30 * 1000)
        .retry(5)
        .ok(() => true));

    if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
    if (response.status === 404) return [];
    if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));
    if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
    if (!Array.isArray(response.body.records)) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));

    return response.body.records;
}

async function del(domainObject, location, type, values) {
    assert.strictEqual(typeof domainObject, 'object');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof type, 'string');
    assert(Array.isArray(values));

    const domainConfig = domainObject.config,
        zoneName = domainObject.zoneName,
        name = dns.getName(domainObject, location, type) || '@';

    await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html
    const [error, response] = await safe(superagent.del(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}/`)
        .set('Authorization', `Token ${domainConfig.token}`)
        .timeout(30 * 1000)
        .retry(5)
        .ok(() => true));

    if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
    if (response.status === 404) return;
    if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));
    if (response.status !== 204) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
}

async function upsert(domainObject, location, type, values) {
    assert.strictEqual(typeof domainObject, 'object');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof type, 'string');
    assert(Array.isArray(values));

    const domainConfig = domainObject.config,
        zoneName = domainObject.zoneName,
        name = dns.getName(domainObject, location, type) || ''; // when upsert, we use '' and not '@'

    await del(domainObject, location, type, values);

    const data = {
        subname: name,
        type,
        ttl: 3600, // min
        records: values
    };

    await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html
    const [error, response] = await safe(superagent.post(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/`)
        .set('Authorization', `Token ${domainConfig.token}`)
        .send(data)
        .timeout(30 * 1000)
        .retry(5)
        .ok(() => true));

    if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);
    if (response.status === 403 || response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));
    if (response.status !== 201) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));
}

async function wait(domainObject, subdomain, type, value, options) {
    assert.strictEqual(typeof domainObject, 'object');
    assert.strictEqual(typeof subdomain, 'string');
    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof value, 'string');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }

    const fqdn = dns.fqdn(subdomain, domainObject.domain);

    await waitForDns(fqdn, domainObject.zoneName, type, value, options);
}

async function verifyDomainConfig(domainObject) {
    assert.strictEqual(typeof domainObject, 'object');

    const domainConfig = domainObject.config,
        zoneName = domainObject.zoneName;

    if (!domainConfig.token || typeof domainConfig.token !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string');
    if ('customNameservers' in domainConfig && typeof domainConfig.customNameservers !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'customNameservers must be a boolean');

    const ip = '127.0.0.1';

    const credentials = {
        token: domainConfig.token,
        customNameservers: !!domainConfig.customNameservers
    };

    if (constants.TEST) credentials; // this shouldn't be here

    const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 }));
    if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain');
    if (error || !nameservers) throw new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers');

    if (!nameservers.every(function (n) { return n.toLowerCase().indexOf('.desec.') !== -1; })) {
        debug('verifyDomainConfig: %j does not contains deSEC NS', nameservers);
        if (!domainConfig.customNameservers) throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to deSEC');
    }

    const location = 'cloudrontestdns';

    await upsert(domainObject, location, 'A', [ ip ]);
    debug('verifyDomainConfig: Test A record added');

    await del(domainObject, location, 'A', [ ip ]);
    debug('verifyDomainConfig: Test A record removed again');

    return credentials;
}

exports = module.exports = {
    removePrivateFields,
    injectPrivateFields,
    upsert,
    get,
    del,
    wait,
    verifyDomainConfig
};
domains: add desec provider 2024-04-24 20:32:54 +02:00			`'use strict';`

use node: prefix for requires 2025-08-14 11:17:38 +05:30			`const assert = require('node:assert'),`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`constants = require('../constants.js'),`
			`BoxError = require('../boxerror.js'),`
			`debug = require('debug')('box:dns/vultr'),`
			`dig = require('../dig.js'),`
			`dns = require('../dns.js'),`
			`safe = require('safetydance'),`
			`timers = require('timers/promises'),`
use the @cloudron/superagent module 2025-07-10 10:55:52 +02:00			`superagent = require('@cloudron/superagent'),`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`waitForDns = require('./waitfordns.js');`

			`const DESEC_ENDPOINT = 'https://desec.io/api/v1';`

			`function formatError(response) {`
replace with custom superagent based on fetch API 2025-02-14 17:26:54 +01:00			return `deSEC DNS error [${response.status}] ${response.text}`;
domains: add desec provider 2024-04-24 20:32:54 +02:00			`}`

			`function removePrivateFields(domainObject) {`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`delete domainObject.config.token;`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`return domainObject;`
			`}`

			`function injectPrivateFields(newConfig, currentConfig) {`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`if (!Object.hasOwn(newConfig, 'token')) newConfig.token = currentConfig.token;`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`}`

			`async function get(domainObject, location, type) {`
			`assert.strictEqual(typeof domainObject, 'object');`
			`assert.strictEqual(typeof location, 'string');`
			`assert.strictEqual(typeof type, 'string');`

			`const domainConfig = domainObject.config,`
			`zoneName = domainObject.zoneName,`
			`name = dns.getName(domainObject, location, type) \|\| '@';`

			`await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html`

			const [error, response] = await safe(superagent.get(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}`)
			.set('Authorization', `Token ${domainConfig.token}`)
			`.timeout(30 * 1000)`
			`.retry(5)`
			`.ok(() => true));`

Fix assert 2024-11-19 17:08:19 +05:30			`if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);`
replace with custom superagent based on fetch API 2025-02-14 17:26:54 +01:00			`if (response.status === 404) return [];`
			`if (response.status === 403 \|\| response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));`
			`if (response.status !== 200) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`if (!Array.isArray(response.body.records)) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));`

			`return response.body.records;`
			`}`

domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`async function del(domainObject, location, type, values) {`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`assert.strictEqual(typeof domainObject, 'object');`
			`assert.strictEqual(typeof location, 'string');`
			`assert.strictEqual(typeof type, 'string');`
			`assert(Array.isArray(values));`

			`const domainConfig = domainObject.config,`
			`zoneName = domainObject.zoneName,`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`name = dns.getName(domainObject, location, type) \|\| '@';`
domains: add desec provider 2024-04-24 20:32:54 +02:00
			`await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			const [error, response] = await safe(superagent.del(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/${name}/${type}/`)
domains: add desec provider 2024-04-24 20:32:54 +02:00			.set('Authorization', `Token ${domainConfig.token}`)
			`.timeout(30 * 1000)`
			`.retry(5)`
			`.ok(() => true));`

Fix assert 2024-11-19 17:08:19 +05:30			`if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`if (response.status === 404) return;`
replace with custom superagent based on fetch API 2025-02-14 17:26:54 +01:00			`if (response.status === 403 \|\| response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`if (response.status !== 204) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`}`

domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`async function upsert(domainObject, location, type, values) {`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`assert.strictEqual(typeof domainObject, 'object');`
			`assert.strictEqual(typeof location, 'string');`
			`assert.strictEqual(typeof type, 'string');`
			`assert(Array.isArray(values));`

			`const domainConfig = domainObject.config,`
			`zoneName = domainObject.zoneName,`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`name = dns.getName(domainObject, location, type) \|\| ''; // when upsert, we use '' and not '@'`

			`await del(domainObject, location, type, values);`

			`const data = {`
			`subname: name,`
			`type,`
			`ttl: 3600, // min`
			`records: values`
			`};`
domains: add desec provider 2024-04-24 20:32:54 +02:00
			`await timers.setTimeout(1000); // https://desec.readthedocs.io/en/latest/rate-limits.html`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			const [error, response] = await safe(superagent.post(`${DESEC_ENDPOINT}/domains/${zoneName}/rrsets/`)
domains: add desec provider 2024-04-24 20:32:54 +02:00			.set('Authorization', `Token ${domainConfig.token}`)
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`.send(data)`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`.timeout(30 * 1000)`
			`.retry(5)`
			`.ok(() => true));`

Fix assert 2024-11-19 17:08:19 +05:30			`if (error) throw new BoxError(BoxError.NETWORK_ERROR, error);`
replace with custom superagent based on fetch API 2025-02-14 17:26:54 +01:00			`if (response.status === 403 \|\| response.status === 401) throw new BoxError(BoxError.ACCESS_DENIED, formatError(response));`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00			`if (response.status !== 201) throw new BoxError(BoxError.EXTERNAL_ERROR, formatError(response));`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`}`

			`async function wait(domainObject, subdomain, type, value, options) {`
			`assert.strictEqual(typeof domainObject, 'object');`
			`assert.strictEqual(typeof subdomain, 'string');`
			`assert.strictEqual(typeof type, 'string');`
			`assert.strictEqual(typeof value, 'string');`
			`assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }`

			`const fqdn = dns.fqdn(subdomain, domainObject.domain);`

			`await waitForDns(fqdn, domainObject.zoneName, type, value, options);`
			`}`

			`async function verifyDomainConfig(domainObject) {`
			`assert.strictEqual(typeof domainObject, 'object');`

			`const domainConfig = domainObject.config,`
			`zoneName = domainObject.zoneName;`

			`if (!domainConfig.token \|\| typeof domainConfig.token !== 'string') throw new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string');`
domains: add option to set custom/vanity nameservers 2025-03-02 07:27:09 +01:00			`if ('customNameservers' in domainConfig && typeof domainConfig.customNameservers !== 'boolean') throw new BoxError(BoxError.BAD_FIELD, 'customNameservers must be a boolean');`
domains: add desec provider 2024-04-24 20:32:54 +02:00
			`const ip = '127.0.0.1';`

			`const credentials = {`
domains: add option to set custom/vanity nameservers 2025-03-02 07:27:09 +01:00			`token: domainConfig.token,`
			`customNameservers: !!domainConfig.customNameservers`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`};`

			`if (constants.TEST) credentials; // this shouldn't be here`

			`const [error, nameservers] = await safe(dig.resolve(zoneName, 'NS', { timeout: 5000 }));`
			`if (error && error.code === 'ENOTFOUND') throw new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain');`
			`if (error \|\| !nameservers) throw new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers');`

			`if (!nameservers.every(function (n) { return n.toLowerCase().indexOf('.desec.') !== -1; })) {`
			`debug('verifyDomainConfig: %j does not contains deSEC NS', nameservers);`
domains: add option to set custom/vanity nameservers 2025-03-02 07:27:09 +01:00			`if (!domainConfig.customNameservers) throw new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to deSEC');`
domains: add desec provider 2024-04-24 20:32:54 +02:00			`}`

			`const location = 'cloudrontestdns';`

			`await upsert(domainObject, location, 'A', [ ip ]);`
			`debug('verifyDomainConfig: Test A record added');`

			`await del(domainObject, location, 'A', [ ip ]);`
			`debug('verifyDomainConfig: Test A record removed again');`

			`return credentials;`
			`}`
domains: remove SECRET_PLACEHOLDER from responses 2025-10-08 12:04:31 +02:00
			`exports = module.exports = {`
			`removePrivateFields,`
			`injectPrivateFields,`
			`upsert,`
			`get,`
			`del,`
			`wait,`
			`verifyDomainConfig`
			`};`